In the first event of its fall technology series, the FTC held a public workshop yesterday on ransomware. According to the experts on hand, ransomware is the most profitable malware type in history. FTC Chairwoman Edith Ramirez said that not only is it prevalent and dangerous, but thwarting it brings its own challenges, including its rapid proliferation, the many vectors of attack and the vast array of harms. It's an issue of interest to the FTC in its mission to protect consumers, but also because, according to Ramirez, failure to address known vulnerabilities may violate the FTC Act.
First, to level-set: Ransomware is a piece of malware — malicious software — that is inadvertently downloaded by a user and then blocks access to a computer or device until a sum of money, usually in bitcoin, is paid to the designers of the malware. Often, the interaction is actually quite civil. There might even be a "support desk" that victims can call to figure out how to acquire bitcoin and use it to pay off the hackers.
Bill Wright, director of cybersecurity partnerships at Symantec, said the most important way to mitigate risk is to train end-users, because it's they who are consistently "getting fooled by the same social engineering phishing attacks." Wright said phishing attacks represent 91 percent of all ransomware incidents.
Keith McCammon, chief security officer of threat-detection company Red Canary, said advising people to avoid malware like this isn't anything new, but the infection vector continues to evolve. One of the newer ways infection happens is by serving consumers malicious ads on trusted sites, known as malvertising. That's a hard problem because one potential solution is ad-blocking, which the advertising industry vehemently opposes for obvious reasons. Craig Williams of the Talos Outreach team said malvertising is the number one threat to consumers these days, partly because, besides redirecting consumers to a malicious server, the malware generally has built-in mechanisms to evade the intrusion-prevention systems researchers use to verify that it's malicious.
"It's no longer an academic threat," he said of ransomware. "It's something we're seeing in the wild."
Williams added that we're not dealing with "hackers in the basement." Ransomware criminals are bringing in enough profit from attacks that they're able to hire professional teams to help them facilitate ransomware payments, for example. He said some outfits have the funding of a small nation-state. The real game-changer, he said, was the advent of bitcoin, because it supplied a virtually untraceable system to distribute currency.
Nor is it any wonder they're making money. Think of a hospital setting, said Wright. By specifically targeting doctors and hospital administrators, criminals know they're locking up potentially life-saving information, "which creates extra pressure to pay the ransom quickly." And then there's the other side of the coin: Rather than say they'll destroy the data, the criminals threaten to make it public, which would lead to a massive data breach for many firms. The ransom is a no-brainer. It's way cheaper than the clean-up would be.
Lorrie Cranor, CIPT, currently the FTC's chief technologist, said the best defense is good hygiene, consumer awareness and ongoing education. She recalled recently telling family she'd be speaking on the panel, to which they replied, "Wait, what's ransomware?" There's not yet enough general knowledge of ransomware, she said.
Bill Hardin of Charles River Associates frequently works with clients who've been hit by ransomware. He said he tells his clients to do CPR, that is: contain the event, preserve the evidence and then remediate. If the affected data lived in the cloud, cut the connection to the cloud.
Serge Jorgensen said it's important to figure out how the infection happened so the same mistake doesn't repeat itself. Make sure to sanitize the machine or device that was affected, and also close off whatever infection vector was involved. And if you engage with the attacker, "do it from an anonymous account or through an intermediary," he said.
The FBI's Will Bales didn't pause when asked what the agency's position was on paying ransom. His advice: Don't do it.
"The FBI's position is we do not condone payment," he said. "Success breeds success," so payment only encourages extortionists. He said, however, that if an organization did choose to pay the attackers, it should still contact the FBI.
"We're still sympathetic," Bales said, adding the agency would certainly still work with the affected organization. Either way, if an organization gets hit with a ransomware attack, the FBI wants to know about it right away, he added.
Cranor said, in the end, the best thing to do is help users make judgments about which links to click and which to avoid. At Carnegie Mellon, where she is on leave as a researcher and professor, Cranor and her students conducted an experiment: They watched security experts to study which links they'd click and which they'd avoid. They found that experts tend to look at URLs closely, examining whether the URL actually aligns with the site they're trying to reach in that situation.
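The URL check the experts in Cranor's study applied by eye can be written down as a small program, which helps when teaching it. The code below is an added illustration, not part of the workshop or the article; the allowlist of expected sites and the sample links are constructed, and "registrable domain" is simplified to the last two host labels (it ignores multi-label public suffixes such as co.uk).

```python
from urllib.parse import urlsplit

# Constructed allowlist of sites the user intends to reach (hypothetical names).
EXPECTED_SITES = {"bank.example", "mail.example"}


def registrable_domain(url: str) -> str:
    """Return the last two labels of the URL's host, lower-cased.
    Simplification (assumption): does not handle multi-label suffixes like co.uk."""
    host = urlsplit(url).hostname or ""        # hostname drops any user@ prefix and port
    labels = host.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def url_aligns_with(url: str, intended_site: str) -> bool:
    """The experts' heuristic: does the link's host really belong to the site
    the user means to visit? Non-web schemes never align."""
    if urlsplit(url).scheme not in ("http", "https"):
        return False
    return registrable_domain(url) == intended_site.lower()


def triage_links(links, intended_site):
    """Label each candidate link 'aligned' or 'suspicious' for the intended site."""
    return {u: ("aligned" if url_aligns_with(u, intended_site) else "suspicious")
            for u in links}


if __name__ == "__main__":
    # Constructed sample links a user might see while trying to reach bank.example.
    sample = [
        "https://bank.example/login",
        "https://www.bank.example/login",
        "https://bank.example.login-verify.test/",   # expected name buried as a subdomain
        "https://bank.example@198.51.100.7/",        # expected name is only the userinfo part
        "http://bank-example.test/",                 # lookalike registrable domain
    ]
    for link, verdict in triage_links(sample, "bank.example").items():
        print(f"{verdict:10s} {link}")
```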
"Can we teach consumers that?" Cranor asked rhetorically.
For now, it's CPOs and CISOs who have the most to gain by doing that education.